8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36079

GHSA ID

GHSA-2m6g-crv8-p3c6

EPSS Score

0.67535%

CWE

CWE-200

Published

9/16/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36079

CVE-2022-36079: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Impact

Internal fields (keys used internally by Parse Server, prefixed by _) and protected fields (user defined) can be used as query constraints. Internal and protected fields are removed by Parse Server from query results and are only returned to the client using a valid master key. However, using query constraints, these fields can be guessed by enumerating until Parse Server returns a response object.

Patches

The patch requires the master key to use internal and protected fields as query constraints.

Workarounds

Implement a Parse Cloud Trigger beforeFind and manually remove the query constraints, such as:

Parse.Cloud.beforeFind('TestObject', ({ query }) => {
  for (const key in query._where || []) {
    // Repeat logic for protected fields
    if (key.charAt(0) === '_') {
      delete query._where[key];
    }
  }
});

References

https://github.com/parse-community/parse-server/security/advisories/GHSA-2m6g-crv8-p3c6

(GitHub Advisory)

8.6

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36079

GHSA ID

GHSA-2m6g-crv8-p3c6

EPSS Score

0.67535%

CWE

CWE-200

Published

9/16/2022

Updated

1/30/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
parse-server	npm	< 4.10.14	4.10.14
parse-server	npm	>= 5.0.0, < 5.2.5	5.2.5

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key issues: 1) validateQuery in DatabaseController.js permitted internal/protected fields in queries without master key validation due to insufficient key checks. The commit diff shows the patch added isMaster and update parameters to enforce authorization. 2) RestQuery.js's execute flow did not include denyProtectedFields prior to the fix, leaving protected fields exposed. The addition of denyProtectedFields in the patch confirms this gap. Both functions directly handled query validation/execution and their pre-patch behavior aligns with the vulnerability's mechanics.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Int*rn*l *i*l*s (k*ys us** int*rn*lly *y P*rs* S*rv*r, pr**ix** *y `_`) *n* prot**t** *i*l*s (us*r ***in**) **n ** us** *s qu*ry *onstr*ints. Int*rn*l *n* prot**t** *i*l*s *r* r*mov** *y P*rs* S*rv*r *rom qu*ry r*sults *n* *r* only r*turn

Reasoning

T** vuln*r**ility st*mm** *rom two k*y issu*s: *) v*li**t*Qu*ry in **t***s**ontroll*r.js p*rmitt** int*rn*l/prot**t** *i*l*s in qu*ri*s wit*out m*st*r k*y v*li**tion *u* to insu**i*i*nt k*y ****ks. T** *ommit *i** s*ows t** p*t** ***** isM*st*r *n* u

8.6

Basic Information

Concerned about an active attack path?

CVE-2022-36079: Parse Server vulnerable to brute force guessing of user sensitive data via search patterns

Impact

Patches

Workarounds

References

8.6

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI